Loading...
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 *
4 * Bluetooth support for Intel devices
5 *
6 * Copyright (C) 2015 Intel Corporation
7 */
8
9#include <linux/module.h>
10#include <linux/firmware.h>
11#include <linux/regmap.h>
12#include <asm/unaligned.h>
13
14#include <net/bluetooth/bluetooth.h>
15#include <net/bluetooth/hci_core.h>
16
17#include "btintel.h"
18
19#define VERSION "0.1"
20
21#define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
22
23int btintel_check_bdaddr(struct hci_dev *hdev)
24{
25 struct hci_rp_read_bd_addr *bda;
26 struct sk_buff *skb;
27
28 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
29 HCI_INIT_TIMEOUT);
30 if (IS_ERR(skb)) {
31 int err = PTR_ERR(skb);
32 bt_dev_err(hdev, "Reading Intel device address failed (%d)",
33 err);
34 return err;
35 }
36
37 if (skb->len != sizeof(*bda)) {
38 bt_dev_err(hdev, "Intel device address length mismatch");
39 kfree_skb(skb);
40 return -EIO;
41 }
42
43 bda = (struct hci_rp_read_bd_addr *)skb->data;
44
45 /* For some Intel based controllers, the default Bluetooth device
46 * address 00:03:19:9E:8B:00 can be found. These controllers are
47 * fully operational, but have the danger of duplicate addresses
48 * and that in turn can cause problems with Bluetooth operation.
49 */
50 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
51 bt_dev_err(hdev, "Found Intel default device address (%pMR)",
52 &bda->bdaddr);
53 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
54 }
55
56 kfree_skb(skb);
57
58 return 0;
59}
60EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
61
62int btintel_enter_mfg(struct hci_dev *hdev)
63{
64 static const u8 param[] = { 0x01, 0x00 };
65 struct sk_buff *skb;
66
67 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
68 if (IS_ERR(skb)) {
69 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
70 PTR_ERR(skb));
71 return PTR_ERR(skb);
72 }
73 kfree_skb(skb);
74
75 return 0;
76}
77EXPORT_SYMBOL_GPL(btintel_enter_mfg);
78
79int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
80{
81 u8 param[] = { 0x00, 0x00 };
82 struct sk_buff *skb;
83
84 /* The 2nd command parameter specifies the manufacturing exit method:
85 * 0x00: Just disable the manufacturing mode (0x00).
86 * 0x01: Disable manufacturing mode and reset with patches deactivated.
87 * 0x02: Disable manufacturing mode and reset with patches activated.
88 */
89 if (reset)
90 param[1] |= patched ? 0x02 : 0x01;
91
92 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
93 if (IS_ERR(skb)) {
94 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
95 PTR_ERR(skb));
96 return PTR_ERR(skb);
97 }
98 kfree_skb(skb);
99
100 return 0;
101}
102EXPORT_SYMBOL_GPL(btintel_exit_mfg);
103
104int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
105{
106 struct sk_buff *skb;
107 int err;
108
109 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
110 if (IS_ERR(skb)) {
111 err = PTR_ERR(skb);
112 bt_dev_err(hdev, "Changing Intel device address failed (%d)",
113 err);
114 return err;
115 }
116 kfree_skb(skb);
117
118 return 0;
119}
120EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
121
122int btintel_set_diag(struct hci_dev *hdev, bool enable)
123{
124 struct sk_buff *skb;
125 u8 param[3];
126 int err;
127
128 if (enable) {
129 param[0] = 0x03;
130 param[1] = 0x03;
131 param[2] = 0x03;
132 } else {
133 param[0] = 0x00;
134 param[1] = 0x00;
135 param[2] = 0x00;
136 }
137
138 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
139 if (IS_ERR(skb)) {
140 err = PTR_ERR(skb);
141 if (err == -ENODATA)
142 goto done;
143 bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
144 err);
145 return err;
146 }
147 kfree_skb(skb);
148
149done:
150 btintel_set_event_mask(hdev, enable);
151 return 0;
152}
153EXPORT_SYMBOL_GPL(btintel_set_diag);
154
155int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
156{
157 int err, ret;
158
159 err = btintel_enter_mfg(hdev);
160 if (err)
161 return err;
162
163 ret = btintel_set_diag(hdev, enable);
164
165 err = btintel_exit_mfg(hdev, false, false);
166 if (err)
167 return err;
168
169 return ret;
170}
171EXPORT_SYMBOL_GPL(btintel_set_diag_mfg);
172
173void btintel_hw_error(struct hci_dev *hdev, u8 code)
174{
175 struct sk_buff *skb;
176 u8 type = 0x00;
177
178 bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
179
180 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
181 if (IS_ERR(skb)) {
182 bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
183 PTR_ERR(skb));
184 return;
185 }
186 kfree_skb(skb);
187
188 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
189 if (IS_ERR(skb)) {
190 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
191 PTR_ERR(skb));
192 return;
193 }
194
195 if (skb->len != 13) {
196 bt_dev_err(hdev, "Exception info size mismatch");
197 kfree_skb(skb);
198 return;
199 }
200
201 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
202
203 kfree_skb(skb);
204}
205EXPORT_SYMBOL_GPL(btintel_hw_error);
206
207void btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
208{
209 const char *variant;
210
211 switch (ver->fw_variant) {
212 case 0x06:
213 variant = "Bootloader";
214 break;
215 case 0x23:
216 variant = "Firmware";
217 break;
218 default:
219 return;
220 }
221
222 bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
223 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
224 ver->fw_build_num, ver->fw_build_ww,
225 2000 + ver->fw_build_yy);
226}
227EXPORT_SYMBOL_GPL(btintel_version_info);
228
229int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
230 const void *param)
231{
232 while (plen > 0) {
233 struct sk_buff *skb;
234 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
235
236 cmd_param[0] = fragment_type;
237 memcpy(cmd_param + 1, param, fragment_len);
238
239 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
240 cmd_param, HCI_INIT_TIMEOUT);
241 if (IS_ERR(skb))
242 return PTR_ERR(skb);
243
244 kfree_skb(skb);
245
246 plen -= fragment_len;
247 param += fragment_len;
248 }
249
250 return 0;
251}
252EXPORT_SYMBOL_GPL(btintel_secure_send);
253
254int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
255{
256 const struct firmware *fw;
257 struct sk_buff *skb;
258 const u8 *fw_ptr;
259 int err;
260
261 err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
262 if (err < 0) {
263 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
264 ddc_name, err);
265 return err;
266 }
267
268 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
269
270 fw_ptr = fw->data;
271
272 /* DDC file contains one or more DDC structure which has
273 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
274 */
275 while (fw->size > fw_ptr - fw->data) {
276 u8 cmd_plen = fw_ptr[0] + sizeof(u8);
277
278 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
279 HCI_INIT_TIMEOUT);
280 if (IS_ERR(skb)) {
281 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
282 PTR_ERR(skb));
283 release_firmware(fw);
284 return PTR_ERR(skb);
285 }
286
287 fw_ptr += cmd_plen;
288 kfree_skb(skb);
289 }
290
291 release_firmware(fw);
292
293 bt_dev_info(hdev, "Applying Intel DDC parameters completed");
294
295 return 0;
296}
297EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
298
299int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
300{
301 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
302 struct sk_buff *skb;
303 int err;
304
305 if (debug)
306 mask[1] |= 0x62;
307
308 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
309 if (IS_ERR(skb)) {
310 err = PTR_ERR(skb);
311 bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
312 return err;
313 }
314 kfree_skb(skb);
315
316 return 0;
317}
318EXPORT_SYMBOL_GPL(btintel_set_event_mask);
319
320int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
321{
322 int err, ret;
323
324 err = btintel_enter_mfg(hdev);
325 if (err)
326 return err;
327
328 ret = btintel_set_event_mask(hdev, debug);
329
330 err = btintel_exit_mfg(hdev, false, false);
331 if (err)
332 return err;
333
334 return ret;
335}
336EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
337
338int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
339{
340 struct sk_buff *skb;
341
342 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
343 if (IS_ERR(skb)) {
344 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
345 PTR_ERR(skb));
346 return PTR_ERR(skb);
347 }
348
349 if (skb->len != sizeof(*ver)) {
350 bt_dev_err(hdev, "Intel version event size mismatch");
351 kfree_skb(skb);
352 return -EILSEQ;
353 }
354
355 memcpy(ver, skb->data, sizeof(*ver));
356
357 kfree_skb(skb);
358
359 return 0;
360}
361EXPORT_SYMBOL_GPL(btintel_read_version);
362
363/* ------- REGMAP IBT SUPPORT ------- */
364
365#define IBT_REG_MODE_8BIT 0x00
366#define IBT_REG_MODE_16BIT 0x01
367#define IBT_REG_MODE_32BIT 0x02
368
369struct regmap_ibt_context {
370 struct hci_dev *hdev;
371 __u16 op_write;
372 __u16 op_read;
373};
374
375struct ibt_cp_reg_access {
376 __le32 addr;
377 __u8 mode;
378 __u8 len;
379 __u8 data[];
380} __packed;
381
382struct ibt_rp_reg_access {
383 __u8 status;
384 __le32 addr;
385 __u8 data[];
386} __packed;
387
388static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
389 void *val, size_t val_size)
390{
391 struct regmap_ibt_context *ctx = context;
392 struct ibt_cp_reg_access cp;
393 struct ibt_rp_reg_access *rp;
394 struct sk_buff *skb;
395 int err = 0;
396
397 if (reg_size != sizeof(__le32))
398 return -EINVAL;
399
400 switch (val_size) {
401 case 1:
402 cp.mode = IBT_REG_MODE_8BIT;
403 break;
404 case 2:
405 cp.mode = IBT_REG_MODE_16BIT;
406 break;
407 case 4:
408 cp.mode = IBT_REG_MODE_32BIT;
409 break;
410 default:
411 return -EINVAL;
412 }
413
414 /* regmap provides a little-endian formatted addr */
415 cp.addr = *(__le32 *)addr;
416 cp.len = val_size;
417
418 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
419
420 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
421 HCI_CMD_TIMEOUT);
422 if (IS_ERR(skb)) {
423 err = PTR_ERR(skb);
424 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
425 le32_to_cpu(cp.addr), err);
426 return err;
427 }
428
429 if (skb->len != sizeof(*rp) + val_size) {
430 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
431 le32_to_cpu(cp.addr));
432 err = -EINVAL;
433 goto done;
434 }
435
436 rp = (struct ibt_rp_reg_access *)skb->data;
437
438 if (rp->addr != cp.addr) {
439 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
440 le32_to_cpu(rp->addr));
441 err = -EINVAL;
442 goto done;
443 }
444
445 memcpy(val, rp->data, val_size);
446
447done:
448 kfree_skb(skb);
449 return err;
450}
451
452static int regmap_ibt_gather_write(void *context,
453 const void *addr, size_t reg_size,
454 const void *val, size_t val_size)
455{
456 struct regmap_ibt_context *ctx = context;
457 struct ibt_cp_reg_access *cp;
458 struct sk_buff *skb;
459 int plen = sizeof(*cp) + val_size;
460 u8 mode;
461 int err = 0;
462
463 if (reg_size != sizeof(__le32))
464 return -EINVAL;
465
466 switch (val_size) {
467 case 1:
468 mode = IBT_REG_MODE_8BIT;
469 break;
470 case 2:
471 mode = IBT_REG_MODE_16BIT;
472 break;
473 case 4:
474 mode = IBT_REG_MODE_32BIT;
475 break;
476 default:
477 return -EINVAL;
478 }
479
480 cp = kmalloc(plen, GFP_KERNEL);
481 if (!cp)
482 return -ENOMEM;
483
484 /* regmap provides a little-endian formatted addr/value */
485 cp->addr = *(__le32 *)addr;
486 cp->mode = mode;
487 cp->len = val_size;
488 memcpy(&cp->data, val, val_size);
489
490 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
491
492 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
493 if (IS_ERR(skb)) {
494 err = PTR_ERR(skb);
495 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
496 le32_to_cpu(cp->addr), err);
497 goto done;
498 }
499 kfree_skb(skb);
500
501done:
502 kfree(cp);
503 return err;
504}
505
506static int regmap_ibt_write(void *context, const void *data, size_t count)
507{
508 /* data contains register+value, since we only support 32bit addr,
509 * minimum data size is 4 bytes.
510 */
511 if (WARN_ONCE(count < 4, "Invalid register access"))
512 return -EINVAL;
513
514 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
515}
516
517static void regmap_ibt_free_context(void *context)
518{
519 kfree(context);
520}
521
522static struct regmap_bus regmap_ibt = {
523 .read = regmap_ibt_read,
524 .write = regmap_ibt_write,
525 .gather_write = regmap_ibt_gather_write,
526 .free_context = regmap_ibt_free_context,
527 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
528 .val_format_endian_default = REGMAP_ENDIAN_LITTLE,
529};
530
531/* Config is the same for all register regions */
532static const struct regmap_config regmap_ibt_cfg = {
533 .name = "btintel_regmap",
534 .reg_bits = 32,
535 .val_bits = 32,
536};
537
538struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
539 u16 opcode_write)
540{
541 struct regmap_ibt_context *ctx;
542
543 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
544 opcode_write);
545
546 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
547 if (!ctx)
548 return ERR_PTR(-ENOMEM);
549
550 ctx->op_read = opcode_read;
551 ctx->op_write = opcode_write;
552 ctx->hdev = hdev;
553
554 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg);
555}
556EXPORT_SYMBOL_GPL(btintel_regmap_init);
557
558int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
559{
560 struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
561 struct sk_buff *skb;
562
563 params.boot_param = cpu_to_le32(boot_param);
564
565 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), ¶ms,
566 HCI_INIT_TIMEOUT);
567 if (IS_ERR(skb)) {
568 bt_dev_err(hdev, "Failed to send Intel Reset command");
569 return PTR_ERR(skb);
570 }
571
572 kfree_skb(skb);
573
574 return 0;
575}
576EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
577
578int btintel_read_boot_params(struct hci_dev *hdev,
579 struct intel_boot_params *params)
580{
581 struct sk_buff *skb;
582
583 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
584 if (IS_ERR(skb)) {
585 bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
586 PTR_ERR(skb));
587 return PTR_ERR(skb);
588 }
589
590 if (skb->len != sizeof(*params)) {
591 bt_dev_err(hdev, "Intel boot parameters size mismatch");
592 kfree_skb(skb);
593 return -EILSEQ;
594 }
595
596 memcpy(params, skb->data, sizeof(*params));
597
598 kfree_skb(skb);
599
600 if (params->status) {
601 bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
602 params->status);
603 return -bt_to_errno(params->status);
604 }
605
606 bt_dev_info(hdev, "Device revision is %u",
607 le16_to_cpu(params->dev_revid));
608
609 bt_dev_info(hdev, "Secure boot is %s",
610 params->secure_boot ? "enabled" : "disabled");
611
612 bt_dev_info(hdev, "OTP lock is %s",
613 params->otp_lock ? "enabled" : "disabled");
614
615 bt_dev_info(hdev, "API lock is %s",
616 params->api_lock ? "enabled" : "disabled");
617
618 bt_dev_info(hdev, "Debug lock is %s",
619 params->debug_lock ? "enabled" : "disabled");
620
621 bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
622 params->min_fw_build_nn, params->min_fw_build_cw,
623 2000 + params->min_fw_build_yy);
624
625 return 0;
626}
627EXPORT_SYMBOL_GPL(btintel_read_boot_params);
628
629int btintel_download_firmware(struct hci_dev *hdev, const struct firmware *fw,
630 u32 *boot_param)
631{
632 int err;
633 const u8 *fw_ptr;
634 u32 frag_len;
635
636 /* Start the firmware download transaction with the Init fragment
637 * represented by the 128 bytes of CSS header.
638 */
639 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
640 if (err < 0) {
641 bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
642 goto done;
643 }
644
645 /* Send the 256 bytes of public key information from the firmware
646 * as the PKey fragment.
647 */
648 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
649 if (err < 0) {
650 bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
651 goto done;
652 }
653
654 /* Send the 256 bytes of signature information from the firmware
655 * as the Sign fragment.
656 */
657 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
658 if (err < 0) {
659 bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
660 goto done;
661 }
662
663 fw_ptr = fw->data + 644;
664 frag_len = 0;
665
666 while (fw_ptr - fw->data < fw->size) {
667 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
668
669 /* Each SKU has a different reset parameter to use in the
670 * HCI_Intel_Reset command and it is embedded in the firmware
671 * data. So, instead of using static value per SKU, check
672 * the firmware data and save it for later use.
673 */
674 if (le16_to_cpu(cmd->opcode) == 0xfc0e) {
675 /* The boot parameter is the first 32-bit value
676 * and rest of 3 octets are reserved.
677 */
678 *boot_param = get_unaligned_le32(fw_ptr + sizeof(*cmd));
679
680 bt_dev_dbg(hdev, "boot_param=0x%x", *boot_param);
681 }
682
683 frag_len += sizeof(*cmd) + cmd->plen;
684
685 /* The parameter length of the secure send command requires
686 * a 4 byte alignment. It happens so that the firmware file
687 * contains proper Intel_NOP commands to align the fragments
688 * as needed.
689 *
690 * Send set of commands with 4 byte alignment from the
691 * firmware data buffer as a single Data fragement.
692 */
693 if (!(frag_len % 4)) {
694 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
695 if (err < 0) {
696 bt_dev_err(hdev,
697 "Failed to send firmware data (%d)",
698 err);
699 goto done;
700 }
701
702 fw_ptr += frag_len;
703 frag_len = 0;
704 }
705 }
706
707done:
708 return err;
709}
710EXPORT_SYMBOL_GPL(btintel_download_firmware);
711
712void btintel_reset_to_bootloader(struct hci_dev *hdev)
713{
714 struct intel_reset params;
715 struct sk_buff *skb;
716
717 /* Send Intel Reset command. This will result in
718 * re-enumeration of BT controller.
719 *
720 * Intel Reset parameter description:
721 * reset_type : 0x00 (Soft reset),
722 * 0x01 (Hard reset)
723 * patch_enable : 0x00 (Do not enable),
724 * 0x01 (Enable)
725 * ddc_reload : 0x00 (Do not reload),
726 * 0x01 (Reload)
727 * boot_option: 0x00 (Current image),
728 * 0x01 (Specified boot address)
729 * boot_param: Boot address
730 *
731 */
732 params.reset_type = 0x01;
733 params.patch_enable = 0x01;
734 params.ddc_reload = 0x01;
735 params.boot_option = 0x00;
736 params.boot_param = cpu_to_le32(0x00000000);
737
738 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
739 ¶ms, HCI_INIT_TIMEOUT);
740 if (IS_ERR(skb)) {
741 bt_dev_err(hdev, "FW download error recovery failed (%ld)",
742 PTR_ERR(skb));
743 return;
744 }
745 bt_dev_info(hdev, "Intel reset sent to retry FW download");
746 kfree_skb(skb);
747
748 /* Current Intel BT controllers(ThP/JfP) hold the USB reset
749 * lines for 2ms when it receives Intel Reset in bootloader mode.
750 * Whereas, the upcoming Intel BT controllers will hold USB reset
751 * for 150ms. To keep the delay generic, 150ms is chosen here.
752 */
753 msleep(150);
754}
755EXPORT_SYMBOL_GPL(btintel_reset_to_bootloader);
756
757int btintel_read_debug_features(struct hci_dev *hdev,
758 struct intel_debug_features *features)
759{
760 struct sk_buff *skb;
761 u8 page_no = 1;
762
763 /* Intel controller supports two pages, each page is of 128-bit
764 * feature bit mask. And each bit defines specific feature support
765 */
766 skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
767 HCI_INIT_TIMEOUT);
768 if (IS_ERR(skb)) {
769 bt_dev_err(hdev, "Reading supported features failed (%ld)",
770 PTR_ERR(skb));
771 return PTR_ERR(skb);
772 }
773
774 if (skb->len != (sizeof(features->page1) + 3)) {
775 bt_dev_err(hdev, "Supported features event size mismatch");
776 kfree_skb(skb);
777 return -EILSEQ;
778 }
779
780 memcpy(features->page1, skb->data + 3, sizeof(features->page1));
781
782 /* Read the supported features page2 if required in future.
783 */
784 kfree_skb(skb);
785 return 0;
786}
787EXPORT_SYMBOL_GPL(btintel_read_debug_features);
788
789int btintel_set_debug_features(struct hci_dev *hdev,
790 const struct intel_debug_features *features)
791{
792 u8 mask[11] = { 0x0a, 0x92, 0x02, 0x07, 0x00, 0x00, 0x00, 0x00,
793 0x00, 0x00, 0x00 };
794 struct sk_buff *skb;
795
796 if (!features)
797 return -EINVAL;
798
799 if (!(features->page1[0] & 0x3f)) {
800 bt_dev_info(hdev, "Telemetry exception format not supported");
801 return 0;
802 }
803
804 skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
805 if (IS_ERR(skb)) {
806 bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
807 PTR_ERR(skb));
808 return PTR_ERR(skb);
809 }
810
811 kfree_skb(skb);
812 return 0;
813}
814EXPORT_SYMBOL_GPL(btintel_set_debug_features);
815
816MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
817MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
818MODULE_VERSION(VERSION);
819MODULE_LICENSE("GPL");
820MODULE_FIRMWARE("intel/ibt-11-5.sfi");
821MODULE_FIRMWARE("intel/ibt-11-5.ddc");
822MODULE_FIRMWARE("intel/ibt-12-16.sfi");
823MODULE_FIRMWARE("intel/ibt-12-16.ddc");
1/*
2 *
3 * Bluetooth support for Intel devices
4 *
5 * Copyright (C) 2015 Intel Corporation
6 *
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 *
22 */
23
24#include <linux/module.h>
25#include <linux/firmware.h>
26#include <linux/regmap.h>
27
28#include <net/bluetooth/bluetooth.h>
29#include <net/bluetooth/hci_core.h>
30
31#include "btintel.h"
32
33#define VERSION "0.1"
34
35#define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
36
37int btintel_check_bdaddr(struct hci_dev *hdev)
38{
39 struct hci_rp_read_bd_addr *bda;
40 struct sk_buff *skb;
41
42 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
43 HCI_INIT_TIMEOUT);
44 if (IS_ERR(skb)) {
45 int err = PTR_ERR(skb);
46 BT_ERR("%s: Reading Intel device address failed (%d)",
47 hdev->name, err);
48 return err;
49 }
50
51 if (skb->len != sizeof(*bda)) {
52 BT_ERR("%s: Intel device address length mismatch", hdev->name);
53 kfree_skb(skb);
54 return -EIO;
55 }
56
57 bda = (struct hci_rp_read_bd_addr *)skb->data;
58
59 /* For some Intel based controllers, the default Bluetooth device
60 * address 00:03:19:9E:8B:00 can be found. These controllers are
61 * fully operational, but have the danger of duplicate addresses
62 * and that in turn can cause problems with Bluetooth operation.
63 */
64 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
65 BT_ERR("%s: Found Intel default device address (%pMR)",
66 hdev->name, &bda->bdaddr);
67 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
68 }
69
70 kfree_skb(skb);
71
72 return 0;
73}
74EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
75
76int btintel_enter_mfg(struct hci_dev *hdev)
77{
78 const u8 param[] = { 0x01, 0x00 };
79 struct sk_buff *skb;
80
81 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
82 if (IS_ERR(skb)) {
83 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
84 PTR_ERR(skb));
85 return PTR_ERR(skb);
86 }
87 kfree_skb(skb);
88
89 return 0;
90}
91EXPORT_SYMBOL_GPL(btintel_enter_mfg);
92
93int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
94{
95 u8 param[] = { 0x00, 0x00 };
96 struct sk_buff *skb;
97
98 /* The 2nd command parameter specifies the manufacturing exit method:
99 * 0x00: Just disable the manufacturing mode (0x00).
100 * 0x01: Disable manufacturing mode and reset with patches deactivated.
101 * 0x02: Disable manufacturing mode and reset with patches activated.
102 */
103 if (reset)
104 param[1] |= patched ? 0x02 : 0x01;
105
106 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
107 if (IS_ERR(skb)) {
108 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
109 PTR_ERR(skb));
110 return PTR_ERR(skb);
111 }
112 kfree_skb(skb);
113
114 return 0;
115}
116EXPORT_SYMBOL_GPL(btintel_exit_mfg);
117
118int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
119{
120 struct sk_buff *skb;
121 int err;
122
123 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
124 if (IS_ERR(skb)) {
125 err = PTR_ERR(skb);
126 BT_ERR("%s: Changing Intel device address failed (%d)",
127 hdev->name, err);
128 return err;
129 }
130 kfree_skb(skb);
131
132 return 0;
133}
134EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
135
136int btintel_set_diag(struct hci_dev *hdev, bool enable)
137{
138 struct sk_buff *skb;
139 u8 param[3];
140 int err;
141
142 if (enable) {
143 param[0] = 0x03;
144 param[1] = 0x03;
145 param[2] = 0x03;
146 } else {
147 param[0] = 0x00;
148 param[1] = 0x00;
149 param[2] = 0x00;
150 }
151
152 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
153 if (IS_ERR(skb)) {
154 err = PTR_ERR(skb);
155 if (err == -ENODATA)
156 goto done;
157 BT_ERR("%s: Changing Intel diagnostic mode failed (%d)",
158 hdev->name, err);
159 return err;
160 }
161 kfree_skb(skb);
162
163done:
164 btintel_set_event_mask(hdev, enable);
165 return 0;
166}
167EXPORT_SYMBOL_GPL(btintel_set_diag);
168
169int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
170{
171 int err, ret;
172
173 err = btintel_enter_mfg(hdev);
174 if (err)
175 return err;
176
177 ret = btintel_set_diag(hdev, enable);
178
179 err = btintel_exit_mfg(hdev, false, false);
180 if (err)
181 return err;
182
183 return ret;
184}
185EXPORT_SYMBOL_GPL(btintel_set_diag_mfg);
186
187void btintel_hw_error(struct hci_dev *hdev, u8 code)
188{
189 struct sk_buff *skb;
190 u8 type = 0x00;
191
192 BT_ERR("%s: Hardware error 0x%2.2x", hdev->name, code);
193
194 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
195 if (IS_ERR(skb)) {
196 BT_ERR("%s: Reset after hardware error failed (%ld)",
197 hdev->name, PTR_ERR(skb));
198 return;
199 }
200 kfree_skb(skb);
201
202 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
203 if (IS_ERR(skb)) {
204 BT_ERR("%s: Retrieving Intel exception info failed (%ld)",
205 hdev->name, PTR_ERR(skb));
206 return;
207 }
208
209 if (skb->len != 13) {
210 BT_ERR("%s: Exception info size mismatch", hdev->name);
211 kfree_skb(skb);
212 return;
213 }
214
215 BT_ERR("%s: Exception info %s", hdev->name, (char *)(skb->data + 1));
216
217 kfree_skb(skb);
218}
219EXPORT_SYMBOL_GPL(btintel_hw_error);
220
221void btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
222{
223 const char *variant;
224
225 switch (ver->fw_variant) {
226 case 0x06:
227 variant = "Bootloader";
228 break;
229 case 0x23:
230 variant = "Firmware";
231 break;
232 default:
233 return;
234 }
235
236 BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name,
237 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
238 ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy);
239}
240EXPORT_SYMBOL_GPL(btintel_version_info);
241
242int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
243 const void *param)
244{
245 while (plen > 0) {
246 struct sk_buff *skb;
247 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
248
249 cmd_param[0] = fragment_type;
250 memcpy(cmd_param + 1, param, fragment_len);
251
252 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
253 cmd_param, HCI_INIT_TIMEOUT);
254 if (IS_ERR(skb))
255 return PTR_ERR(skb);
256
257 kfree_skb(skb);
258
259 plen -= fragment_len;
260 param += fragment_len;
261 }
262
263 return 0;
264}
265EXPORT_SYMBOL_GPL(btintel_secure_send);
266
267int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
268{
269 const struct firmware *fw;
270 struct sk_buff *skb;
271 const u8 *fw_ptr;
272 int err;
273
274 err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
275 if (err < 0) {
276 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
277 ddc_name, err);
278 return err;
279 }
280
281 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
282
283 fw_ptr = fw->data;
284
285 /* DDC file contains one or more DDC structure which has
286 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
287 */
288 while (fw->size > fw_ptr - fw->data) {
289 u8 cmd_plen = fw_ptr[0] + sizeof(u8);
290
291 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
292 HCI_INIT_TIMEOUT);
293 if (IS_ERR(skb)) {
294 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
295 PTR_ERR(skb));
296 release_firmware(fw);
297 return PTR_ERR(skb);
298 }
299
300 fw_ptr += cmd_plen;
301 kfree_skb(skb);
302 }
303
304 release_firmware(fw);
305
306 bt_dev_info(hdev, "Applying Intel DDC parameters completed");
307
308 return 0;
309}
310EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
311
312int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
313{
314 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
315 struct sk_buff *skb;
316 int err;
317
318 if (debug)
319 mask[1] |= 0x62;
320
321 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
322 if (IS_ERR(skb)) {
323 err = PTR_ERR(skb);
324 BT_ERR("%s: Setting Intel event mask failed (%d)",
325 hdev->name, err);
326 return err;
327 }
328 kfree_skb(skb);
329
330 return 0;
331}
332EXPORT_SYMBOL_GPL(btintel_set_event_mask);
333
334int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
335{
336 int err, ret;
337
338 err = btintel_enter_mfg(hdev);
339 if (err)
340 return err;
341
342 ret = btintel_set_event_mask(hdev, debug);
343
344 err = btintel_exit_mfg(hdev, false, false);
345 if (err)
346 return err;
347
348 return ret;
349}
350EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
351
352int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
353{
354 struct sk_buff *skb;
355
356 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
357 if (IS_ERR(skb)) {
358 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
359 PTR_ERR(skb));
360 return PTR_ERR(skb);
361 }
362
363 if (skb->len != sizeof(*ver)) {
364 bt_dev_err(hdev, "Intel version event size mismatch");
365 kfree_skb(skb);
366 return -EILSEQ;
367 }
368
369 memcpy(ver, skb->data, sizeof(*ver));
370
371 kfree_skb(skb);
372
373 return 0;
374}
375EXPORT_SYMBOL_GPL(btintel_read_version);
376
377/* ------- REGMAP IBT SUPPORT ------- */
378
379#define IBT_REG_MODE_8BIT 0x00
380#define IBT_REG_MODE_16BIT 0x01
381#define IBT_REG_MODE_32BIT 0x02
382
383struct regmap_ibt_context {
384 struct hci_dev *hdev;
385 __u16 op_write;
386 __u16 op_read;
387};
388
389struct ibt_cp_reg_access {
390 __le32 addr;
391 __u8 mode;
392 __u8 len;
393 __u8 data[0];
394} __packed;
395
396struct ibt_rp_reg_access {
397 __u8 status;
398 __le32 addr;
399 __u8 data[0];
400} __packed;
401
402static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
403 void *val, size_t val_size)
404{
405 struct regmap_ibt_context *ctx = context;
406 struct ibt_cp_reg_access cp;
407 struct ibt_rp_reg_access *rp;
408 struct sk_buff *skb;
409 int err = 0;
410
411 if (reg_size != sizeof(__le32))
412 return -EINVAL;
413
414 switch (val_size) {
415 case 1:
416 cp.mode = IBT_REG_MODE_8BIT;
417 break;
418 case 2:
419 cp.mode = IBT_REG_MODE_16BIT;
420 break;
421 case 4:
422 cp.mode = IBT_REG_MODE_32BIT;
423 break;
424 default:
425 return -EINVAL;
426 }
427
428 /* regmap provides a little-endian formatted addr */
429 cp.addr = *(__le32 *)addr;
430 cp.len = val_size;
431
432 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
433
434 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
435 HCI_CMD_TIMEOUT);
436 if (IS_ERR(skb)) {
437 err = PTR_ERR(skb);
438 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
439 le32_to_cpu(cp.addr), err);
440 return err;
441 }
442
443 if (skb->len != sizeof(*rp) + val_size) {
444 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
445 le32_to_cpu(cp.addr));
446 err = -EINVAL;
447 goto done;
448 }
449
450 rp = (struct ibt_rp_reg_access *)skb->data;
451
452 if (rp->addr != cp.addr) {
453 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
454 le32_to_cpu(rp->addr));
455 err = -EINVAL;
456 goto done;
457 }
458
459 memcpy(val, rp->data, val_size);
460
461done:
462 kfree_skb(skb);
463 return err;
464}
465
466static int regmap_ibt_gather_write(void *context,
467 const void *addr, size_t reg_size,
468 const void *val, size_t val_size)
469{
470 struct regmap_ibt_context *ctx = context;
471 struct ibt_cp_reg_access *cp;
472 struct sk_buff *skb;
473 int plen = sizeof(*cp) + val_size;
474 u8 mode;
475 int err = 0;
476
477 if (reg_size != sizeof(__le32))
478 return -EINVAL;
479
480 switch (val_size) {
481 case 1:
482 mode = IBT_REG_MODE_8BIT;
483 break;
484 case 2:
485 mode = IBT_REG_MODE_16BIT;
486 break;
487 case 4:
488 mode = IBT_REG_MODE_32BIT;
489 break;
490 default:
491 return -EINVAL;
492 }
493
494 cp = kmalloc(plen, GFP_KERNEL);
495 if (!cp)
496 return -ENOMEM;
497
498 /* regmap provides a little-endian formatted addr/value */
499 cp->addr = *(__le32 *)addr;
500 cp->mode = mode;
501 cp->len = val_size;
502 memcpy(&cp->data, val, val_size);
503
504 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
505
506 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
507 if (IS_ERR(skb)) {
508 err = PTR_ERR(skb);
509 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
510 le32_to_cpu(cp->addr), err);
511 goto done;
512 }
513 kfree_skb(skb);
514
515done:
516 kfree(cp);
517 return err;
518}
519
520static int regmap_ibt_write(void *context, const void *data, size_t count)
521{
522 /* data contains register+value, since we only support 32bit addr,
523 * minimum data size is 4 bytes.
524 */
525 if (WARN_ONCE(count < 4, "Invalid register access"))
526 return -EINVAL;
527
528 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
529}
530
531static void regmap_ibt_free_context(void *context)
532{
533 kfree(context);
534}
535
536static struct regmap_bus regmap_ibt = {
537 .read = regmap_ibt_read,
538 .write = regmap_ibt_write,
539 .gather_write = regmap_ibt_gather_write,
540 .free_context = regmap_ibt_free_context,
541 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
542 .val_format_endian_default = REGMAP_ENDIAN_LITTLE,
543};
544
545/* Config is the same for all register regions */
546static const struct regmap_config regmap_ibt_cfg = {
547 .name = "btintel_regmap",
548 .reg_bits = 32,
549 .val_bits = 32,
550};
551
552struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
553 u16 opcode_write)
554{
555 struct regmap_ibt_context *ctx;
556
557 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
558 opcode_write);
559
560 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
561 if (!ctx)
562 return ERR_PTR(-ENOMEM);
563
564 ctx->op_read = opcode_read;
565 ctx->op_write = opcode_write;
566 ctx->hdev = hdev;
567
568 return regmap_init(&hdev->dev, ®map_ibt, ctx, ®map_ibt_cfg);
569}
570EXPORT_SYMBOL_GPL(btintel_regmap_init);
571
572MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
573MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
574MODULE_VERSION(VERSION);
575MODULE_LICENSE("GPL");
576MODULE_FIRMWARE("intel/ibt-11-5.sfi");
577MODULE_FIRMWARE("intel/ibt-11-5.ddc");